https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552136#M623129 <HTML><HEAD></HEAD><BODY><P>Hey George,</P><P></P><P>To view the sessions being created, use the command "show policy-map type inspect zone-pair NAME sessions". Replace NAME with the name of the corresponding zone-pairs.</P><P></P><P>To enable logging of dropped packets by zone based firewall, use the command "ip inspect log drop-pkt". You should then be able to see syslogs of dropped packets (along with details of zone-pair and class-map being hit).</P><P></P><P>Hope this helps!!</P><P></P><P>Thanks and Regards,</P><P>Prapanch</P></BODY></HTML> Sun, 10 Oct 2010 11:53:49 GMT praprama 2010-10-10T11:53:49Z https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552135#M623118 <P>Hi,</P><P></P><P>i have been doing some ZBF configuration on 2811 router with IOS version "advsecurityk9-mz.124-15.T10"</P><P></P><P>i configured a zone-pair from inside to outside with its policy-map and class-map (for the traffic that are initiated from inside),</P><P>the flow is 90% form inside to outside. i also configured zone-pair from outside to inside for the other 10% opposite traffic.</P><P></P><P>the problem is that some traffic are being stopped from inside to outside, and i am not able to track it or log it somehow.</P><P></P><P>my class-map is based on access-list (very long one). since i cannot log a line in an access-list, for example: deny ip any any <SPAN style="text-decoration: underline;">log</SPAN> (not permitted)</P><P></P><P>i tried:</P><P>1- "show ip inspect session" but i cannot see any output (i read that it is for CBAC)</P><P>2-&nbsp; "show policy-map type inspect zone-pair" displays some counter for established session</P><P></P><P><STRONG>The question is, how i can see the sessions and what is being blocked?</STRONG></P><P></P><P></P><P>...............................</P><P>class-map type inspect match-any c2<BR /> match access-group name fromOut<BR />class-map type inspect match-any c1<BR /> match access-group name fromIn<BR />!<BR />policy-map type inspect fromIn</P><P> class type inspect c1<BR />&nbsp; inspect<BR /> class class-default<BR />&nbsp; drop log<BR />policy-map type inspect fromout<BR /> class type inspect c2<BR />&nbsp; inspect<BR /> class class-default<BR />&nbsp; drop log<BR />!</P><P></P><P></P><P></P><P>Thank and Regards,</P><P>George</P> Mon, 11 Mar 2019 18:52:37 GMT https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552135#M623118 gaboughanem 2019-03-11T18:52:37Z https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552136#M623129 <HTML><HEAD></HEAD><BODY><P>Hey George,</P><P></P><P>To view the sessions being created, use the command "show policy-map type inspect zone-pair NAME sessions". Replace NAME with the name of the corresponding zone-pairs.</P><P></P><P>To enable logging of dropped packets by zone based firewall, use the command "ip inspect log drop-pkt". You should then be able to see syslogs of dropped packets (along with details of zone-pair and class-map being hit).</P><P></P><P>Hope this helps!!</P><P></P><P>Thanks and Regards,</P><P>Prapanch</P></BODY></HTML> Sun, 10 Oct 2010 11:53:49 GMT https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552136#M623129 praprama 2010-10-10T11:53:49Z https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552137#M623146 <HTML><HEAD></HEAD><BODY><P>edited as the answer is above.</P></BODY></HTML> Mon, 11 Oct 2010 21:17:50 GMT https://community.cisco.com/t5/network-security/zone-base-firewall/m-p/1552137#M623146 golly_wog 2010-10-11T21:17:50Z